I've been looking into the various pros/cons of tokenless (particularly SMS based) and traditional token based two-factor authentication (think RSA SecurID). After doing some research, I think I have ...

I've seen a security question/requirement that a website login return the same error message for an invalid password as for a non-existent user. The idea being that this makes it impossible to discover ...

I've long been under the impression that with unix, you should never login as root.
Now I've started using Virtual Private Servers over at DigitalOcean, and some advice is to use SSH keys to login as ...

I am having problems understanding how ssh really works. I know it uses public key cryptography to encrypt messages. However, I can ssh to a server without first generating a public/private key pair ...

Let's say I'm using NFC cards for access control. NFC cards/stickers are easily readable and writable, so my worry is that the data on them could easily be cloned onto another card/sticker and bypass ...

I'm providing consultation to a company, where they have domain-joined Windows workstations. One basic requirement is that they don't want anyone (including an administrator) to be able to login ...

Say we're using a shared key between two parties, that has been distributed using public key encryption, is it still necessary to sign any data that's encrypted using the shared key? Or is it enough ...

This question is about storing third-party credentials in the database/some secure place so that they can be accessed only by authorized users.
Our system connects to the third-party system using ...

I'm reading a lot about implementing security constraints on a REST API.
There are a lot of methods, some better than others for third-party applications or to consume my own API.
HTTP Basic + TLS (with ...

I see that the new login mechanism used by some banks in the UK and also used by Visa Debit authentication is to ask for three random characters from your password at login (for example second, ninth and ...

Seeing as phishing is getting more popular and users are becoming less concerned about security, I am trying to come up with a solution for a new site of mine that can stop phishers. For instance, any ...

The problem:
I have an open-source client (a Firefox add-on written in JavaScript) and a server containing somewhat sensitive user information: username and user history (all from YouTube). The client ...

Mozilla went live with a new service called BrowserID/Persona (announcement, background). It is intended to replace current single-sign-on solutions such as OpenID, OAuth and Facebook.
One advantage ...

Using a public/private key pair is fairly convenient for logging in to frequented hosts, but if I'm using a key pair with no password, is that any safer (or less safe) than a password? The security ...

I'm implementing a REST service that requires authentication. I cannot store any per-user state (such as a randomly-generated token) because my service does not have direct access to a database, only ...

Google and Yubico just announced the availability of cryptographic security tokens following the FIDO U2F specification. Is this just another 2FA option, or is this significantly better than solutions ...

Or is authentication essentially incompatible with anonymity?
If we have the idea that authentication is proving that someone is who they say they are and anonymity is essentially having an unknown ...

There are some websites and even programs that I use that have ridiculous password restrictions. Lots of forums for instance restrict passwords to ~32 characters. Others enforce a restricted charset.
...